On Fri, 21 Sep 2007, Gerry Reno wrote:

> Ok, what I've found is that if I set the 'hit_count' high to say 100
> then I can login but the connection dies very quickly (actually it just
> hangs). So I think the limit rule is applying to more than just NEW
> packets. The higher that I set 'hit_count' the longer the connection
> will last. So is there something wrong with the way I've implemented
> this or is this a bug in iptables or the kernel?

Is this your problem? It's the tail (not in the HOWTO yet) of an off-list exchange from a similar-sounding problem. You can start here:

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html#gratuitous_icmp

Joe

--------------

From: Klaas Jan Wierenga <[EMAIL PROTECTED]>
To: Joseph Mack NA3T <[EMAIL PROTECTED]>
Cc: Horms <[EMAIL PROTECTED]>, Graeme Fowler <[EMAIL PROTECTED]>
Subject: Re: lvs: off-list: Re: Long sessions through LVS DR director terminated by icmp-host-prohibited (ICMP type 3 code 10)

Hi all,

Not really. It appears to be a netfilter problem because when I changed my firewall rules (/etc/sysconfig/iptables) to disable connection tracking, the problem went away.

# Don't do connection tracking on port 80 and 8000 because sometimes it
# results in dropped connections due to ICMP_HOST_UNREACHABLE messages
#-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8000 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 8000 -j ACCEPT

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!

_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to [EMAIL PROTECTED] or go to http://lists.graemef.net/mailman/listinfo/lvs-users
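An added example, not part of the thread or of any LVS/netfilter code: a small Python evaluator for the RH-Firewall-1-INPUT rules quoted above. It assumes the usual Red Hat chain head (an ESTABLISHED,RELATED accept) and tail (REJECT with icmp-host-prohibited), which are not in the quoted rules, and shows why a mid-stream packet whose conntrack entry has been lost falls through the NEW-only rules to the REJECT, while the stateless replacement rules accept it.

```python
import shlex

# Chain head/tail are the usual Red Hat defaults, assumed here (not quoted in the thread).
COMMON_HEAD = ["-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
COMMON_TAIL = ["-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"]

def parse_rule(line):
    """Parse an iptables-save style '-A CHAIN ...' line into the fields we match on."""
    toks = shlex.split(line)
    rule = {"proto": None, "dport": None, "states": None, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            rule["proto"] = toks[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = int(toks[i + 1]); i += 2
        elif t == "--state":
            rule["states"] = set(toks[i + 1].split(",")); i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t in ("-A", "-m"):
            i += 2  # chain name or match-module name: nothing to match on
        else:
            i += 1  # e.g. --reject-with and its argument
    return rule

def evaluate(chain, proto, dport, ct_state):
    """Walk the chain in order; the first matching rule decides, as netfilter does."""
    for rule in chain:
        if rule["proto"] and rule["proto"] != proto:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["states"] is not None and ct_state not in rule["states"]:
            continue
        return rule["target"]
    return "POLICY"  # no rule matched: the chain policy applies

# The commented-out rules from the thread (stateful) versus the replacement (stateless).
STATEFUL = [parse_rule(r) for r in COMMON_HEAD + [
    "-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 8000 --state NEW -j ACCEPT",
] + COMMON_TAIL]
STATELESS = [parse_rule(r) for r in COMMON_HEAD + [
    "-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT",
    "-A RH-Firewall-1-INPUT -p tcp --dport 8000 -j ACCEPT",
] + COMMON_TAIL]
```

Calling `evaluate(STATEFUL, "tcp", 80, "INVALID")` returns REJECT, the icmp-host-prohibited in the subject line, while the same packet against STATELESS returns ACCEPT. The price of the stateless form is that any TCP segment to 80/8000 is accepted regardless of conntrack state, so it sidesteps the lost-flow problem rather than fixing it.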